Pivotal Knowledge Base


PCF Advisory - SAML Service Provider Credential certificates expire after 2 years

Environment

  • Pivotal Elastic Runtime 1.9+
  • Pivotal Cloud Foundry

Purpose

The Elastic Runtime UAA service holds a certificate that signs outbound communication to an external SAML Identity Provider (IdP). This certificate is valid for 2 years and must be regenerated before that period ends.

The certificate is used to sign the SAML authentication requests UAA sends to the Identity Provider. The signature is an additional security measure, so the impact of rotating the certificate depends on whether the IdP validates that signature.

Prerequisites

Expiration of the SAML Service Provider Credentials certificate should only have an impact if the answer to all of these questions is 'yes':

  1. Are you using SSO in production for apps?
  2. If yes, are you using SAML Identity Providers for SSO service plans?
  3. If yes, did you have Ops Manager generate a certificate for you? (this is done by using the Generate RSA Certificate button in Ops Manager)
  4. If yes, are you validating the signature of SAML authentication request on the Identity provider side?

Procedure 

Validate expiration time of certificate:

For Elastic Runtime >= 1.11.x, navigate to:
Elastic Runtime > UAA > SAML Service Provider Credentials

Screen_Shot_2017-12-12_at_4.02.53_PM.png

For Elastic Runtime <= 1.10.x, navigate to:
Elastic Runtime > Authentication & SSO > Service Provider Credentials 

Screen_Shot_2017-12-12_at_4.02.45_PM.png

Copy the contents of the certificate into a temporary file (for example, test.pem).

Execute the following command to validate the expiration time on the certificate.

# openssl x509 -enddate -noout -in test.pem
notAfter=Dec  7 21:01:04 2017 GMT

Alternatively, you can check the certificate via the Ops Manager API by following the steps in this article: https://discuss.pivotal.io/hc/en-us/articles/115015525088-PCF-Advisory-Internal-certificates-expire-2-years-after-installation

$ curl "https://OPS-MAN-FQDN/api/v0/deployed/certificates?expires_within=6m" \
-H "Authorization: Bearer YOUR-UAA-ACCESS-TOKEN"

Find the certificate whose property_reference is `.uaa.service_provider_key_credentials` and check its valid_until value.

Example (abbreviated output):
"property_reference":".uaa.service_provider_key_credentials" ... "valid_until":"2019-06-14T11:37:11Z"
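The two checks above (the `openssl x509 -enddate` output and the Ops Manager API response) are easy to script so that the SAML Service Provider certificate is flagged well before it expires. The following is an added example, not code from Pivotal or from this article; it uses only the Python standard library. The JSON below is constructed sample data in the shape the article quotes (property_reference and valid_until); a real Ops Manager response carries additional fields, and the second certificate entry is a made-up placeholder.

```python
"""Check PCF certificate expiry from an openssl -enddate line or an
Ops Manager /api/v0/deployed/certificates response (added example)."""
import json
from datetime import datetime

# Property reference the article tells you to look for in the API response.
UAA_SP_PROPERTY = ".uaa.service_provider_key_credentials"


def parse_openssl_enddate(line):
    """Parse a line such as 'notAfter=Dec  7 21:01:04 2017 GMT'
    as printed by `openssl x509 -enddate -noout`. Returns a naive UTC datetime."""
    key, _, value = line.strip().partition("=")
    if key != "notAfter":
        raise ValueError("expected a notAfter= line, got: %r" % line)
    # %d accepts the day padded with a space, %Z accepts 'GMT'.
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")


def parse_api_timestamp(value):
    """Parse the ISO-8601 UTC 'valid_until' value returned by the Ops Manager API."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def days_remaining(not_after, now):
    """Whole days until not_after; negative once the certificate has expired."""
    return (not_after - now).days


def find_uaa_sp_certificate(api_response_text):
    """Return the deployed-certificates entry for the UAA SAML SP credential, or None."""
    doc = json.loads(api_response_text)
    for cert in doc.get("certificates", []):
        if cert.get("property_reference") == UAA_SP_PROPERTY:
            return cert
    return None


def expiring_certificates(api_response_text, now, within_days=180):
    """List (property_reference, days_remaining) for every entry that expires
    within `within_days` of `now` (or has already expired)."""
    doc = json.loads(api_response_text)
    result = []
    for cert in doc.get("certificates", []):
        remaining = days_remaining(parse_api_timestamp(cert["valid_until"]), now)
        if remaining <= within_days:
            result.append((cert["property_reference"], remaining))
    return result


# Constructed sample data: the first entry mirrors the article's example,
# the second is a placeholder property name, not a real PCF property.
SAMPLE_OPENSSL_LINE = "notAfter=Dec  7 21:01:04 2017 GMT"
SAMPLE_API_RESPONSE = json.dumps({
    "certificates": [
        {"property_reference": UAA_SP_PROPERTY,
         "valid_until": "2019-06-14T11:37:11Z"},
        {"property_reference": ".example_product.example_cert_credentials",
         "valid_until": "2020-01-01T00:00:00Z"},
    ]
})


if __name__ == "__main__":
    now = datetime.utcnow()
    print("openssl notAfter:", parse_openssl_enddate(SAMPLE_OPENSSL_LINE),
          "days remaining:", days_remaining(parse_openssl_enddate(SAMPLE_OPENSSL_LINE), now))
    sp = find_uaa_sp_certificate(SAMPLE_API_RESPONSE)
    print("UAA SAML SP cert valid until:", sp["valid_until"])
    for prop, days in expiring_certificates(SAMPLE_API_RESPONSE, now):
        print("expiring: %s (%d days)" % (prop, days))
```

In practice you would feed `expiring_certificates` the body returned by the `curl` call shown above and run it from a scheduled job, so that step 1 of the rotation procedure (arranging for the IdP admin) is triggered with months of lead time rather than days.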

Rotating SAML Service Provider Credential certificate

If the certificate is nearing expiration, it needs to be regenerated.

Regeneration is only disruptive if Elastic Runtime is configured to use SSO / SAML and the IdP validates the signature on authentication requests; in that case the new certificate must be imported into the IdP.

Perform the following steps:

  1. Arrange for the IdP admin to be available before the certificate expires.
  2. Disable certificate validation on the IdP side.
  3. Generate a new certificate on production by clicking the `generate` option under SAML Service Provider Credentials:
    Screen_Shot_2017-12-12_at_4.33.23_PM.png
  4. Import the new certificate into your IdP:
    https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf
    These steps vary depending on which SAML provider you are using:
    If using ADFS, see: https://docs.pivotal.io/p-identity/1-3/adfs/config-adfs.html
    If using CA SSO, see: https://docs.pivotal.io/p-identity/1-3/ca-sso/config-ca-sso.html
    If using OKTA, see: https://docs.pivotal.io/p-identity/1-3/okta/config-okta.html
    If using PingFederate, see: https://docs.pivotal.io/p-identity/1-3/pingfederate/config-pingfederate.html
  5. Re-enable certificate validation on the IdP.
  6. Validate system functionality (for example, log in to an SSO-protected app through the IdP).

Additional Information

Guide on importing certificates to SSO provider: https://docs.pivotal.io/pivotalcf/1-12/opsguide/auth-sso.html#configure-saml-for-pcf

Reference on using the Ops Manager API: https://docs.pivotal.io/pivotalcf/1-10/customizing/ops-man-api.html

Reference guide on rotating and regenerating certificates in PCF: https://docs.pivotal.io/pivotalcf/1-12/security/pcf-infrastructure/api-cert-rotation.html
